Debian Bug report logs - #900608
nikto: CVE-2018-11652

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 1 Jun 2018 22:00:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version nikto/1:2.1.5-1

Fixed in version nikto/1:2.1.5-3

Done: Vincent Bernat <bernat@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Vincent Bernat <bernat@debian.org>:
Bug#900608; Package src:nikto. (Fri, 01 Jun 2018 22:00:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Vincent Bernat <bernat@debian.org>. (Fri, 01 Jun 2018 22:00:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nikto: CVE-2018-11652
Date: Fri, 01 Jun 2018 23:58:23 +0200
Source: nikto
Version: 1:2.1.5-1
Severity: grave
Tags: patch security upstream fixed-upstream
Justification: user security hole

Hi,

The following vulnerability was published for nikto.

CVE-2018-11652[0]:
| CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote
| attackers to inject arbitrary OS commands via the Server field in an
| HTTP response header, which is directly injected into a CSV report.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11652
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11652
[1] https://github.com/sullo/nikto/commit/e759b3300aace5314fe3d30800c8bd83c81c29f7

Regards,
Salvatore
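The CVE text above describes a CSV injection: a value the scanned host controls (its Server response header) is copied verbatim into a CSV report, and a spreadsheet opening that report will evaluate cells that begin with a formula character. The following Python block is an added illustration of the vulnerable pattern beside its hardened form and is not nikto's code (nikto is written in Perl) nor the upstream fix referenced in [1]; the row layout, function names and the Server header values are constructed for this example.

```python
import csv
import io
import re

# Characters that spreadsheet applications interpret as the start of a formula
# when a CSV cell begins with them. Tab and carriage return are listed because
# some applications discard leading whitespace before checking the prefix.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Plain signed decimals such as -1 or -0.5 start with a prefix character but
# are ordinary numbers, so they are left alone.
_PLAIN_NUMBER = re.compile(r"-?\d+(\.\d+)?")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell as a formula."""
    return value.startswith(FORMULA_PREFIXES) and not _PLAIN_NUMBER.fullmatch(value)


def neutralize_cell(value: str) -> str:
    """Prefix formula-like values with a single quote so they stay literal text.

    Commas, quotes and newlines inside the value are handled by the csv
    module's quoting; only the formula prefix needs attention here.
    """
    return "'" + value if is_formula_like(value) else value


def write_report(rows, neutralize: bool) -> str:
    """Render (host, port, server_header) rows as CSV text.

    neutralize=False reproduces the vulnerable pattern: the Server header,
    which the scanned host controls, is copied into the report verbatim.
    neutralize=True is the hardened form.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host", "port", "server"])
    for host, port, server in rows:
        cell = neutralize_cell(server) if neutralize else server
        writer.writerow([host, port, cell])
    return buf.getvalue()


def flag_suspicious_headers(rows):
    """Detection helper: list hosts whose Server header looks like a formula."""
    return [(host, server) for host, _, server in rows if is_formula_like(server)]


# Constructed sample scan results (hypothetical hosts and Server values).
SAMPLE_ROWS = [
    ("192.0.2.10", 80, "Apache/2.4.29 (Ubuntu)"),
    ("192.0.2.11", 443, "nginx/1.14.0"),
    ("192.0.2.12", 8080, "=2+2"),
    ("192.0.2.13", 8443, "@SUM(1,2)"),
    ("192.0.2.14", 80, "-1"),
]

if __name__ == "__main__":
    print(write_report(SAMPLE_ROWS, neutralize=True))
    print("suspicious:", flag_suspicious_headers(SAMPLE_ROWS))
```

The single-quote prefix is the common mitigation because it works across spreadsheet applications, but it does change what the user sees in the cell; the numeric exemption keeps ordinary values such as `-1` untouched. Any other field derived from response data (banners, redirect targets, page titles) needs the same treatment, not only the Server header the advisory names.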



Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Sat, 02 Jun 2018 06:51:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 02 Jun 2018 06:51:09 GMT)


Message #10 received at 900608-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 900608-close@bugs.debian.org
Subject: Bug#900608: fixed in nikto 1:2.1.5-3
Date: Sat, 02 Jun 2018 06:49:23 +0000
Source: nikto
Source-Version: 1:2.1.5-3

We believe that the bug you reported is fixed in the latest version of
nikto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900608@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated nikto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 02 Jun 2018 08:07:33 +0200
Source: nikto
Binary: nikto
Architecture: source
Version: 1:2.1.5-3
Distribution: unstable
Urgency: high
Maintainer: Vincent Bernat <bernat@debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description:
 nikto      - web server security scanner
Closes: 900608
Changes:
 nikto (1:2.1.5-3) unstable; urgency=high
 .
   * d/control: point Vcs-* to salsa.debian.org.
   * d/patches: fix CSV injection vulnerability. CVE-2018-11652.
     Closes: #900608.
Checksums-Sha1:
 8884037995ecfa0e3a484e397e6213b7201f4207 1802 nikto_2.1.5-3.dsc
 c8f58f77726397e4fafbc482340b1377d0c4aee6 6872 nikto_2.1.5-3.debian.tar.xz
 b4662a49219d7370a09226af3cb150ce9c5f111c 5606 nikto_2.1.5-3_amd64.buildinfo
Checksums-Sha256:
 5105eb13f6e2b18f67719051c8f409daf69893d98d800a9d831114bb32fe1bf5 1802 nikto_2.1.5-3.dsc
 dcb94f8c24ca4119f0810177ce29a647dc92c0ea235ef67cabc30c314a7d26b4 6872 nikto_2.1.5-3.debian.tar.xz
 d5da87f98c75b7d59c7b41f9e85d36ca2771956fb8b26e933fc03b6ff5ee7d68 5606 nikto_2.1.5-3_amd64.buildinfo
Files:
 b9edd7db4294222579b60d37c1e0f70d 1802 non-free/net extra nikto_2.1.5-3.dsc
 1d7573b08fa3d836bfcc50c3348701fe 6872 non-free/net extra nikto_2.1.5-3.debian.tar.xz
 7b62ccf705e93198db33c06a171a1d42 5606 non-free/net extra nikto_2.1.5-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCAAwFiEErvI0h4bzccaJpzYAlaQv6DU1JfkFAlsSOdwSHGJlcm5hdEBk
ZWJpYW4ub3JnAAoJEJWkL+g1NSX5+NEP/Rkwplm677cs2wFJp12gtwa3Wo1AbE2o
8TKigebitm4sTku/GjbaP94vLtuHoa3YXm+guYKU28rN1UaAyOijufPES25Tpapa
0ue6pmhJZG6jbEh+gbPk3oDiC5IubBFQNSxsvLAfx+f8TKsT7LL96uYvaBGfIkfm
mvDOl79xW4i6nebP1rhq/0TnQybJ2ud3LoywLMa4AaWhojITeH1pxGc+4lPWsUJA
giB/nXzJTHMcNQm7nKbz0d0cZNcaWn6H6suUhnjwHXxR3AN1Icux0LwtJef1Lc11
nhJSZn8DgWwddsRe8/OQ0MvauR/gZjzOY6EZw+MJHkoGGDyl+5Seqo01UQLitgVj
TolaaU/i+b4TGHqmU95cM/4nn2vhS+eJPM96bq/LOT2p915CtpAohCx4Oa43Dbqb
WwNAdTBQW8AsC5uwPKmyjhh5LQoIf80cLOKnJEIniop1Lzrmkrhx+2wm5tTZsFD6
cnGRv6W+Wl9AR4wHc977H+EetB2W3sF8YgbbFcW/fIo61P5M0lQsOiIsyAchxeM+
xl8tuSpqFBM/cVyAC+zlvFRvCHihJJ/uwdWWaWxVFQWnxD6vewS/x/qMEMvkkykQ
KL2HFHH83XJh6RDoDFmWTz8nsIMXUls3rlkQc0pUOhLdkluhNtScHLgisgwrKPIM
gf0bOUo1nPR8
=/KnC
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:37:07 2019; Machine Name: buxtehude
